1 Topic by Neil.Kurzman (edited by Neil.Kurzman 2025-12-31 00:04:50)

  • Registered: 2025-08-04
  • Posts: 15

Topic: Azure Limiting Cypyers

I am getting an MQTT Error 5
This is related to it rejecting Cyphers
The List Below is the Acceptable list as of August 31, 2025
Oddly I can connect to one Hub But Not a Second.
Does Wolf SSL V 3.9.0 handle anything in the Below List?
I am using Microchip Harmony V1.11 so I am limited to V3.9.0
Does SLL Choose the Cypher or do I need to set it.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 391

Re: Azure Limiting Cypyers

Hello Neil,

Yes those ciphers are supported wolfSSL v3.9.0. Do you have a packet capture and / or wolfSSL debug log of the succeeding and failing connections?

The server ultimately chooses the cipher suite based on the list sent during the client hello message of the TLS handshake.

Please feel free to open a support ticket by emailing support@wolfssl.com to get more detailed help.

Kind regards,
Eric - wolfSSL Support

embhorn's Website

Share

  • Registered: 2025-08-04
  • Posts: 15

Re: Azure Limiting Cypyers

I am trying to use the log to debug it will required some work in my embedded system.
There does not appear to be any function to get the list, or to get the current cypher.  Is the correct?

I found to enable the Cypher i needed to enable options in the Harmony Cyphers are we as The Wolf SSL Cyphers.

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 391

Re: Azure Limiting Cypyers

You can set the cipher list like this:

#define CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305"

    /* Set cipher list */
    if ((ret = wolfSSL_CTX_set_cipher_list(ctx, CIPHER_LIST))
            != WOLFSSL_SUCCESS) {
        fprintf(stderr, "ERROR: failed to set cipher list\n");
        goto exit;
    }

You can print the available ciphers like this:

static void ShowCiphers(void)
{
    static char ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
    int ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));
    if (ret == WOLFSSL_SUCCESS) {
        printf("%s\n", ciphers);
    }
}

embhorn's Website

Share

  • Registered: 2025-08-04
  • Posts: 15

Re: Azure Limiting Cypyers

Azure is Selecting:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Azure Requires:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

what Option would I need to select this in Harmony?
I see that some Items are in the Wolf SSL section, but other are in the Harmony Ciphers Section.

The Cipher List is:
DES-CBC3-SHA:
AES128-SHA:
AES256-SHA:
DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA:
DHE-PSK-AES128-GCM-SHA256:
DHE-PSK-AES128-CBC-SHA256:
DHE-PSK-AES128-CCM:
DHE-PSK-AES256-CCM:
HC128-SHA:
AES128-CCM-8:
AES256-CCM-8:
AES128-SHA256:
AES256-SHA256:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES256-SHA256:
AES128-GCM-SHA256:
DHE-RSA-AES128-GCM-SHA256

That You for the link to the Function

I found wolfSSL_get_cipher() for the Current Cipher

Share

6 Reply by Neil.Kurzman (edited by Neil.Kurzman 2026-01-07 01:49:06)

  • Registered: 2025-08-04
  • Posts: 15

Re: Azure Limiting Cypyers

Enabling ECC enables ECDH

I still have an Issue, But I am not sure where it is at this time

Share

7 Reply by Neil.Kurzman (edited by Neil.Kurzman 2026-01-08 01:27:58)

  • Registered: 2025-08-04
  • Posts: 15

Re: Azure Limiting Cypyers

Does any one know the settings to enable TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
or                                                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    (0xC02F)

is this enough for V3.9.0?

#define HAVE_AESGCM
#define HAVE_ECC
   
#define HAVE_SUPPORTED_CURVES
#define HAVE_TLS_EXTENSIONS /* Enable the NIST Curve */
#define HAVE_ECC256                /* Enable the NIST Curve */
#define HAVE_CURVE25519         /* Enable the Modern Curve */

Does it need a Certificate or an enable for it?

It shows up in clientHello, but
Azure is still choosing 0x009c

I do not have a Linux Machine.
is there a way to determine why it is not choosing the correct cipher?

Share

  • Registered: 2025-08-04
  • Posts: 15

Re: Azure Limiting Cypyers

The Issue here is that even though it is precenting the Ciphers in Client Hello, the Correct extensions to be used with the Ciphers are not enabled with the cipher. so they are rejected as valid.

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 391

Re: Azure Limiting Cypyers

Hi Neil,

Please open a support ticket by emailing support@wolfssl.com

From there we can better assist you.

Thanks,
Eric - wolfSSL Support

embhorn's Website

Share

10 Reply by Neil.Kurzman (edited by Neil.Kurzman 2026-01-20 01:15:30)

  • Registered: 2025-08-04
  • Posts: 15

Re: Azure Limiting Cypyers

My Issue is the Calls
       wolfSSL_UseSupportedCurve(client->tls.ssl, WOLFSSL_ECC_SECP256R1);
       wolfSSL_UseSNI(client->tls.ssl, WOLFSSL_SNI_HOST_NAME, "my iot.azure-devices.net", sizeof("my iot.azure-devices.net");

These need to be called after the SSL Object (Struct) is created
But before
wolfSSL_connect() is called

Is there a correct place to do this or a callbacK?

in nt MqttSocket_Connect(MqttClient *client, const char* host, word16 port,
    int timeout_ms, int use_tls, MqttTlsCb cb)

Use MqttTlsCb cb? ( This does Not Work)

Share

  • Registered: 2025-08-04
  • Posts: 15

Re: Azure Limiting Cypyers

Azure will accept Cipher Suites that it will refuse to Use.
Note I did not Use "client->tls.ctx"
So the MQTT Code works as is.
The Only issue is it does not Return CONNAK and some error codes
This may be addressed in later versions. ( I did not Check). The data is available to the end user in the returned data.


Note: The DPS Server will will not accept the same Cipher Suites


To Minimize Cypher and use the Minimum Allowed Cipher

in Config.h:



#define USE_FAST_MATH

#define TFM_TIMING_RESISTANT

#define NO_WOLFSSL_SERVER

//#define NO_DSA  // Needed for Base64 Encode

//#define NO_HMAC  // Needed for sasTokenCreate

//#define NO_RSA  // This allows ECDSA and RSA

#define NO_DES3   // Disable all the weak Ciphers ...

#define NO_DH

#define NO_MD4

#define NO_MD5

#define NO_PWDBASED

#define NO_RC4

#define NO_RABBIT

#define NO_HC128

#define NO_SHA

#define SHA_DIGEST_SIZE 20 // Cover Bug in NO_SHA

#define WOLFSSL_SHA512

//#define HAVE_AESCCM    // for CBC

#define HAVE_AESGCM     // for GCM

#define HAVE_ECC

   

#define HAVE_SUPPORTED_CURVES  // Suppport to enable Supported curves

#define HAVE_TLS_EXTENSIONS   /* for ECC Curve and SNI */

#define HAVE_ECC256       /* Enable the NIST Curve */

#define HAVE_CURVE25519     /* Enable the Modern Curve */

#define HAVE_ECC_SECP256R1   /* NIST P-256 for Azure compatibility */

   

#define HAVE_SNI        // Server Name Enable

#define HAVE_MAX_FRAGMENT    // Allow shorter TLS Packets

#define HAVE_TRUNCATED_HMAC   // Allow shorter HMAC Packets

   

#define ENABLE_MQTT_TLS

#define NO_OLD_TLS       // disable anything below TLS1.2



#define WOLFMQTT_NONBLOCK



in the mqtt_tls_cb:





static int mqtt_tls_cb(MqttClient* client)

{

  const char* cipherSuites = "";



  int rc = SSL_FAILURE;



  client->tls.ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());

  if (client->tls.ctx)

  {

    wolfSSL_CTX_set_verify(client->tls.ctx, SSL_VERIFY_PEER, mqtt_tls_verify_cb);



    if(azureDpsState == eDPS_STATE_STARTED)

    {

      cipherSuites = "ECDHE-RSA-AES128-GCM-SHA256";  // DPS Uses This (Azure Does Not)

    }

    else

    {

      cipherSuites = "ECDHE-ECDSA-AES128-GCM-SHA256"; // A Recommended Cipher for Azure

    };

   

    if(wolfSSL_CTX_SetMinVersion  (client->tls.ctx, WOLFSSL_TLSV1_2)    != SSL_SUCCESS)SYS_DEBUG_BreakPoint();

    if(wolfSSL_CTX_UseSupportedCurve(client->tls.ctx, WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS)SYS_DEBUG_BreakPoint();

    if(wolfSSL_CTX_set_cipher_list (client->tls.ctx, cipherSuites)     != SSL_SUCCESS)SYS_DEBUG_BreakPoint();

    if(wolfSSL_CTX_UseSNI      (client->tls.ctx, WOLFSSL_SNI_HOST_NAME, azureHostname, strnlen(azureHostname, sizeof(azureHostname))) != SSL_SUCCESS)SYS_DEBUG_BreakPoint();

Share